HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes Including CSF Version Upgrades

October 19, 2021

Overview
On or before December 4, 2021, HITRUST will introduce a new feature in MyCSF to allow Assessed Entities to preview the effects of upgrading the CSF version or making any other changes which impact the composition of a HITRUST CSF Validated or Readiness Assessment before the change is made.

Update: This feature is now available.

CSF Version Upgrade for a HITRUST CSF Validated or Readiness Assessment
Consistent with the CSF Versioning Policy announced in HAA 2021-005, all new versions of the HITRUST CSF will be displayed in MyCSF using the versioning syntax of v[Major].[Minor].[Errata]. In order to provide further transparency into the updates introduced in each new major, minor, and errata version of the CSF, MyCSF will allow Assessed Entities to preview the effects of upgrading their assessment to a new CSF version. The MyCSF preview functionality provides a high-level summary and a detailed report of all modifications that would result from upgrading the CSF version utilized for a particular assessment.

The Assessed Entity may preview and upgrade the CSF version at any time while the assessment is in the Answering Assessment state prior to any assessment domains being submitted to the External Assessor for validation.

If any new major, minor, or errata versions of the CSF are available, MyCSF displays the upgrade options to the Assessed Entity upon accessing any of the following pages:

Organization Information
Assessment Options
Systems
Facilities
Default Scoring Profile
Factors

The upgrade options could include the following based upon the version of the CSF that the assessment currently utilizes:

The most recently released errata version for the same minor CSF version that the assessment is currently utilizing (Example: v9.5.0 to v9.5.1)
The most recently released minor version for the same major CSF version that the assessment is currently utilizing (Example: v9.4 to v9.5.1)
The most recently released major version of the CSF (Example: v8 to v9.5.1)

The Assessed Entity is presented with the option to preview the differences between their current assessment and the assessment that would be created upon upgrading to the version of the library selected by the Assessed Entity. MyCSF displays a high-level summary of the differences, and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

Addition, Removal, or Modification of a Requirement Statement
Modification of a Requirement Statement’s Illustrative Procedure
Factor Added or Removed from a Requirement Statement
Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
Modification of the Control Level Implementation of a Requirement Statement
Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with updating the CSF Version or to not apply the update.

Previewing a change to the composition of a HITRUST CSF Validated or Readiness Assessment
The preview functionality described above is also available at any time that the Assessed Entity attempts to make a change within MyCSF which will result in a modification to the composition of their HITRUST CSF Validated or Readiness Assessment. Examples of these changes include:

Changing a Factor response
Changing the following options on the Assessment Options page
Would you like only the controls required for certification or ALL CSF security controls?
Include privacy controls?

When making such a change to the assessment, MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:

Addition, Removal, or Modification of a Requirement Statement
Modification of a Requirement Statement’s Illustrative Procedure
Factor Added or Removed from a Requirement Statement
Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
Modification of the Control Level Implementation of a Requirement Statement
Modification of a Requirement Statement’s Control Reference, Control Objective, and / or Control Category
Modification of a Requirement Statement’s Assessment Domain

After previewing the changes, the Assessed Entity has the option to either proceed with making the previewed changes or to not apply them.

Implementation
The CSF version upgrade and preview functionality described above will be implemented for all HITRUST CSF Validated and Readiness Assessments on or before December 4, 2021.

Update: This feature is now available.

Subscribe to get updates,
news, and industry information.

Subscribe

HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes Including CSF Version Upgrades

You may also be interested in:

HAA 2024-002: CSF Version 11.3 Release HAA 2024-002: CSF Version 11.3 Release

HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments

HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8 HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8

Subscribe to get updates,news, and industry information.

Chat Now

HAA 2021-006: HITRUST MyCSF Preview of Assessment Changes Including CSF Version Upgrades

HAA 2024-003: CSF v11.2 Creation Deadline for e1 and i1 Assessments

HAA 2016-004: HITRUST CSF Assurance Program Change Related to the Addition of a Required Control for Certification in HITRUST CSF V8

Subscribe to get updates,
news, and industry information.